assessment under Art. 15(4) GDPR detailed in section 6. In the same vein, messages that data subjects have sent to others in the form of interpersonal messages and have deleted themselves from their device, but that are still available to the service provider, may fall under the right of access.

105. Then again, there are situations in which the link between the data and several individuals may seem blurred to the controller, such as in the case of identity theft. In case of identity theft, a person fraudulently acts in the name of another person. In this context it is important to recall that the victim should be provided with information on all personal data the controller stored in connection with their identity, including data that have been collected on the basis of the fraudster’s actions. In other words, even after the controller has learned about the identity theft, the personal data is associated with or related to the identity of the victim and therefore constitutes personal data of the data subject.

Example: An individual fraudulently uses the identity of someone else in order to play poker online. The perpetrator pays the online casino using the credit card they stole from the victim. When the victim finds out about the identity theft, the victim asks the provider of the online casino to provide him or her with access to personal data relating to him or her, and more specifically to the online games played and information about the credit card used by the perpetrator. There is a link between the collected data and B as the latter’s identity has been used. After the detection of the fraud, the personal data mentioned above still has a link by reason of their content (the victim’s credit card is clearly about the victim), purpose and effect (the information about the online games played by the perpetrator may for instance be used to issue invoices to the victim). Therefore, the online casino shall grant the victim access to the aforementioned personal data.

106. The putting in place and the supervision and revision of connection logs58 fall within the controller’s responsibility and are liable to be checked by the supervisory authorities. The controller should thus make sure that the persons acting under its authority who have access to personal data do not process personal data except on instructions from the controller, as per Art. 29 GDPR. If such a person nevertheless processes the personal data for purposes other than fulfilling the controller’s instructions, they may become the controller for that processing and be subject to disciplinary or criminal proceedings or administrative sanctions issued by supervisory authorities. The EDPB notes that it is part of the employer’s responsibility under Art. 24 GDPR to make use of appropriate measures, extending from education to disciplinary procedures, to ensure that processing is in compliance with the GDPR and that no data breach occurs.

4.2.2 Personal data which “are being processed”

107. Paragraph (1) of Art. 15 GDPR moreover refers to personal data which “are being processed”. The time reference point for determining the range of personal data falling within the access request has already been elaborated in section 2.3.3. The wording however also suggests that the right of access does not distinguish between the purposes of the processing operations.

Example: A company processed personal data relating to a data subject in order to process their purchase order and arrange shipping to the data subject’s home address. After these initial purposes for
58
A request for a preliminary ruling from the Itä-Suomen hallinto-oikeus (Finland) lodged on 22 September 2021 — J.M. Case C-579/21 is pending before the CJEU at the time of the publication of the public consultation version of these guidelines.
34 Adopted - version for public consultation